An Oxymoron : Static Analysis of a Dynamic Language (Part 3)

An Oxymoron : Static Analysis of a Dynamic Language (Part 3)

TypeScript to the rescue

From the previous post we concluded that JavaScript contains a number of features that makes it a challenge to analyze and detect bugs in:

  1. JavaScript is an object-based language that uses prototype objects to model inheritance. This is highly dynamic as prototype links can be manipulated at runtime.
  2. Objects are mappings from strings (property names) to values. In general, properties can be added and removed during execution and property names may be dynamically computed.
  3. Undefined results, such as accessing a non-existing property of an object, are represented by a particular value undefined, but there is a subtle distinction between an object that lacks a property and an object that has the property set to undefined
  4. Values are freely converted from one type to another type with few exceptions. In fact, there are only a few cases where no automatic conversion applies: The values null and undefined cannot be converted to objects and only function values can be invoked as functions. Some of the automatic conversions are non-intuitive and programmers should be aware of them.
  5. Variables can be created by simple assignments without explicit declarations, but attempts to read absent variables result in runtime errors. JavaScript’s with statement breaks ordinary lexical scoping rules, so even resolving variable names is a nontrivial task.
  6. With the eval function, a dynamically constructed string can be interpreted as a program fragment and executed in the current scope

To mitigate from these issues, Microsoft developed TypeScript, an open-source programming language that is a strict superset of JavaScript with static typing and class-based object-oriented programming. Thus, any existing JavaScript programs are also valid TypeScript programs. Using TypeScript, static typing via type annotations enables type checking at compile time. TypeScript provides both declarations with the extension .d.ts and implementations with the extension .ts , where the former include interfaces and the latter include concrete code. The declaration files assign types to API objects with newly defined types as interface, class, and enum. To allow TypeScript programs to use existing JavaScript libraries, the DefinitelyTyped project provides a set of TypeScript declaration files for frequently used JavaScript libraries.

Organizations are embracing TypeScript to develop new services and libraries. However there are plethora of applications that were implemented and still sustained based on vanilla javascript.

Given the ubiquity of JavaScript, it is crucial to discover security vulnerabilities possibly introduced by use of its dynamic features. Websites usually contain both user interaction and third party components. If these components are untrusted, then they may be used to exploit vulnerabilities. For example, a malicious user (or package) might inject an input string value that can be parsed into executable JavaScript code which, if not properly sanitized, can cause a cross-site scripting attack.

A more precise approach for securing JavaScript applications proposed by researchers and industry practitioners, is taint analysis.

Many security problems can be formalized as information flow problems which seek to preserve the integrity of data (i.e., not allow untrusted values to affect a sensitive value or operation) and confidentiality of data (i.e., keep sensitive values from being observed from outside the computation).

Taint analysis detects flows of data that violate program integrity and data confidentiality.

In the next part of this series we will illustrate how these challenges of applying taint flow analysis in an untyped and asynchronous event handling paradigm.

An Oxymoron : Static Analysis of a Dynamic Language (Part 3) was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Chetan Conikee. Read the original post at: